# Maintainer: Alexey Pavlov <alexpux@gmail.com>

pkgname=ca-certificates
pkgver=20150426
pkgrel=1
pkgdesc='Common CA certificates'
arch=('any')
url='http://www.mozilla.org/projects/security/certs/'
license=('MPL' 'GPL')
source=("http://ftp.debian.org/debian/pool/main/c/${pkgname}/${pkgname}_${pkgver}.tar.xz"
        'CAcert.org_root.crt::http://www.cacert.org/certs/root.crt'
        'CAcert.org_class3.crt::http://www.cacert.org/certs/class3.crt'
        'StartSSL.sub.class1.server.ca.pem'::'http://www.startssl.com/certs/sub.class1.server.ca.pem'
        'certdata2pem-redhat.patch'
        'diff-from-upstream-2.3.patch'
        'trust-fixes'
        'update-ca-trust'
        'update-ca-trust.8')
depends=('bash' 'openssl' 'findutils' 'coreutils' 'sed' 'p11-kit')
makedepends=('asciidoc' 'python2' 'libxslt' 'sed' 'grep')
install='ca-certificates.install'
sha256sums=('37dbaa93ed64cc4ae93ac295f9248fbc741bd51376438cfb1257f17efab5494f'
            'c0e0773a79dceb622ef6410577c19c1e177fb2eb9c623a49340de3c9f1de2560'
            'f5badaa5da1cc05b110a9492455a2c2790d00c7175dcf3a7bcb5441af71bf84f'
            '4eed32f02c1321685e08a06e104d69aa69bb5f1e2e9c251dc8d7e0b4c6e24a5e'
            '4b44df3a92438555e347f74a2b2da3670eaae3c38b349308fff5fb6b80b938aa'
            '5f7981a4bea23ac5e3726b64cc65f79863567b75fc0f8d671ee3db6dd54400a2'
            'eeebba0de2635ba4115c05b2acc95d475d47aa58796bb0868203805212f50381'
            '75ef2f4b0fddd2ca3c69b234a6abb66fd732e4af96814b65dcedb0dd52018381'
            'a73c6430e734178b9aa4d303709470383bc2b1cfbeb0d44fe34615df812f479d')

prepare() {
  cd ${srcdir}/${pkgname}-${pkgver}
  cp ${srcdir}/trust-fixes mozilla/
  cp ${srcdir}/update-ca-trust sbin/
  cp ${srcdir}/update-ca-trust.8 sbin/
  patch -p1 -i ${srcdir}/certdata2pem-redhat.patch
  patch -p0 -i ${srcdir}/diff-from-upstream-2.3.patch
  sed "s|/usr/bin/python|/usr/bin/python2|g" -i mozilla/certdata2pem.py
}

build() {
  cd ${srcdir}/${pkgname}-${pkgver}/mozilla
  mkdir -p legacy-{enable,disable}
  /usr/bin/python2 certdata2pem.py
  
  (
    cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
    grep -w NSS_BUILTINS_LIBRARY_VERSION nssckbi.h | awk '{print "# " $2 " " $3}';
    echo '#';
  ) > ${srcdir}/${pkgname}-${pkgver}/ca-bundle.trust.crt

  # Make sure repeat runs don't accumulate duplicate certs.
  if [ -f ${srcdir}/${pkgname}-${pkgver}/ca-bundle.neutral-trust.crt ]; then
    rm -f ${srcdir}/${pkgname}-${pkgver}/ca-bundle.neutral-trust.crt
  fi
  if [ -f ${srcdir}/${pkgname}-${pkgver}/ca-bundle.supplement.p11-kit ]; then
    rm -f ${srcdir}/${pkgname}-${pkgver}/ca-bundle.supplement.p11-kit
  fi

  > info.trust
  > info.notrust

  # Add custom certificate
  echo '# alias="StartCom Class 1 Primary Intermediate Server CA"' > StartSSL.sub.class1.server.ca.crt
  echo '# trust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH' >> StartSSL.sub.class1.server.ca.crt
  echo '# distrust=' >> StartSSL.sub.class1.server.ca.crt
  echo '# openssl-trust=codeSigning emailProtection serverAuth' >> StartSSL.sub.class1.server.ca.crt
  cat "${srcdir}/StartSSL.sub.class1.server.ca.pem" >> StartSSL.sub.class1.server.ca.crt
  
  local f=
  for f in *.crt
  do
    echo "processing ${f}"
    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' ${f}`
    distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' ${f}`
    alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' ${f} | sed "s/'//g" | sed 's/"//g'`
    targs=""

    if [ -n "${tbits}" ]
    then
      for t in ${tbits}
      do
        targs="${targs} -addtrust ${t}"
      done
    fi
    if [ -n "${distbits}" ]
    then
      for t in ${distbits}
      do
        targs="${targs} -addreject ${t}"
      done
    fi
    if [ -n "${targs}" ]
    then
      echo "trust flags ${targs} for ${f}" >> info.trust
      openssl x509 -text -in "${f}" -trustout ${targs} -setalias "${alias}" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.trust.crt
    else
      echo "no trust flags for ${f}" >> tee -a info.notrust
      # p11-kit-trust defines empty trust lists as "rejected for all purposes".
      # That's why we use the simple file format
      #   (BEGIN CERTIFICATE, no trust information)
      # because p11-kit-trust will treat it as a certificate with neutral trust.
      # This means we cannot use the -setalias feature for neutral trust certs.
      openssl x509 -text -in "${f}" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.neutral-trust.crt
    fi
  done

  for f in legacy-enable/*.crt; do 
    echo "processing ${f}"
    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' ${f}`
    alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
    targs=""
    if [ -n "${tbits}" ]; then
      for t in $tbits; do
         targs="${targs} -addtrust ${t}"
      done
    fi
    if [ -n "${targs}" ]; then
      echo "legacy enable flags $targs for ${f}" >> info.trust
      openssl x509 -text -in "${f}" -trustout ${targs} -setalias "${alias}" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.legacy.enable.crt
    fi
  done

  for f in legacy-disable/*.crt; do 
    echo "processing ${f}"
    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' ${f}`
    alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
    targs=""
    if [ -n "${tbits}" ]; then
      for t in ${tbits}; do
         targs="${targs} -addtrust ${t}"
      done
    fi
    if [ -n "${targs}" ]; then
      echo "legacy disable flags $targs for ${f}" >> info.trust
      openssl x509 -text -in "${f}" -trustout ${targs} -setalias "${alias}" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.legacy.disable.crt
    fi
  done

  local P11FILES=`find . -name "*.p11-kit" | wc -l`
  if [ ${P11FILES} -ne 0 ]; then
    for p in *.p11-kit; do 
      cat "${p}" >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.supplement.p11-kit
    done
  fi
  cat trust-fixes >> ${srcdir}/${pkgname}-${pkgver}/ca-bundle.supplement.p11-kit
}

package() {
  cd ${srcdir}/${pkgname}-${pkgver}
  
  mkdir -p ${pkgdir}/usr/{bin,lib,share}
  mkdir -p ${pkgdir}/etc
  mkdir -p ${pkgdir}/usr/share/man/man8
  
  cp -f sbin/update-ca-trust ${pkgdir}/usr/bin/
  cp -f sbin/update-ca-trust.8 ${pkgdir}/usr/share/man/man8/

  # for p11-kit
  mkdir -p ${pkgdir}/usr/lib/p11-kit
  cp -f sbin/update-ca-trust ${pkgdir}/usr/lib/p11-kit/p11-kit-extract-trust

  mkdir -p ${pkgdir}/usr/share/pki/ca-trust-source
  for file in ca-bundle.{trust.crt,neutral-trust.crt,supplement.p11-kit,legacy.enable.crt,legacy.disable.crt}
  do
    cp -f $file ${pkgdir}/usr/share/pki/ca-trust-source
  done

  # touch all files overwritten by update-ca-trust for easy cleanup
  mkdir -p ${pkgdir}/etc/pki/ca-trust/{extracted,legacy,source}
  mkdir -p ${pkgdir}/etc/pki/ca-trust/source/{anchors,blacklist}
  mkdir -p ${pkgdir}/etc/pki/ca-trust/extracted/{openssl,pem,java}
  touch ${pkgdir}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
  touch ${pkgdir}/etc/pki/ca-trust/extracted/pem/{tls,email,objsign}-ca-bundle.pem
  touch ${pkgdir}/etc/pki/ca-trust/extracted/java/cacerts

  # for OpenSSL and static ca-certificates consumers
  mkdir -p ${pkgdir}/usr/ssl/certs
  cp -f ${pkgdir}/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ${pkgdir}/usr/ssl/certs/ca-bundle.crt
  cp -f ${pkgdir}/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ${pkgdir}/usr/ssl/cert.pem
  cp -f ${pkgdir}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt ${pkgdir}/usr/ssl/certs/ca-bundle.trust.crt
  
  install -t "${pkgdir}/etc/pki/ca-trust/source/anchors" -m644 ${srcdir}/CAcert.org_root.crt
  install -t "${pkgdir}/etc/pki/ca-trust/source/anchors" -m644 ${srcdir}/CAcert.org_class3.crt
}
